- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 10 Mar 2015 10:43:39 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 10 March 2015 17:44:27 UTC
cool! It seems setting the "nosniff" flag for the algorithm in addition to checking the content-type matches the specified type should be enough.

On 10 March 2015 at 01:25, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, Mar 10, 2015 at 12:03 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> > The SRI spec currently doesn't enforce the mime-type and should say
> > something like "insist on this mime type, even after sniffing".
> > Unfortunately, content-type sniffing (afaik) isn't really spec'ed so it is
> > not clear how to put that in the spec.
>
> https://mimesniff.spec.whatwg.org/ is what browsers implement though
> there's various differences still unfortunately.
>
>
> --
> https://annevankesteren.nl/
>
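
The check proposed in this message, modelled as an added example (not code from the thread or from the SRI spec): the integrity digest must match and the Content-Type header, read with no sniffing of the body, must equal the expected type. The function names, the `expectedType` parameter and the sample responses are assumptions constructed for illustration.

```javascript
const crypto = require("node:crypto");

const ALGS = new Set(["sha256", "sha384", "sha512"]);

// Split "sha384-<base64>" into algorithm and digest; null if malformed.
function parseIntegrity(metadata) {
  const m = /^(sha\d{3})-([A-Za-z0-9+/]+={0,2})$/.exec(metadata.trim());
  return m && ALGS.has(m[1]) ? { alg: m[1], digest: m[2] } : null;
}

// MIME essence taken from the header only, e.g.
// "Text/JavaScript; charset=utf-8" -> "text/javascript".
// Returns null when the header is absent or malformed.
// The body is never inspected, which is the "nosniff" behaviour.
function declaredType(headers) {
  const raw = headers["content-type"];
  if (typeof raw !== "string") return null;
  const essence = raw.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// expectedType is a hypothetical parameter standing in for the
// "specified type" mentioned in the message.
function checkSubresource(response, integrity, expectedType) {
  const meta = parseIntegrity(integrity);
  if (!meta) return { ok: false, reason: "bad-integrity-metadata" };
  const actual = crypto.createHash(meta.alg).update(response.body).digest();
  if (!actual.equals(Buffer.from(meta.digest, "base64"))) {
    return { ok: false, reason: "digest-mismatch" };
  }
  const type = declaredType(response.headers);
  if (type === null) return { ok: false, reason: "no-declared-type" };
  if (type !== expectedType.toLowerCase()) return { ok: false, reason: "type-mismatch" };
  return { ok: true, reason: "ok" };
}

// Constructed sample data: the same bytes served under three different headers.
const body = Buffer.from("console.log('widget loaded');\n");
const integrity = "sha384-" + crypto.createHash("sha384").update(body).digest("base64");
const asScript = { body, headers: { "content-type": "text/javascript; charset=utf-8" } };
const asText = { body, headers: { "content-type": "text/plain" } };
const untyped = { body, headers: {} };

for (const r of [asScript, asText, untyped]) {
  console.log(checkSubresource(r, integrity, "text/javascript"));
}
```

The second and third responses carry bytes whose digest matches, yet both are rejected: the digest alone says nothing about how the bytes will be interpreted.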